Debian 10264 Published by

A libapache-mod-jk security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address an issue that could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd.



ELA-960-1 libapache-mod-jk security update

Package : libapache-mod-jk
Version : 1:1.2.46-0+deb8u2 (jessie), 1:1.2.46-0+deb9u2 (stretch)

Related CVEs :
CVE-2023-41081

The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to forward
requests from Apache to Tomcat, in some circumstances, such as when a
configuration included “JkOptions +ForwardDirectories” but the configuration
did not provide explicit mounts for all possible proxied requests, mod_jk would
use an implicit mapping and map the request to the first defined worker. Such
an implicit mapping could result in the unintended exposure of the status
worker and/or bypass security constraints configured in httpd. As of this
security update, the implicit mapping functionality has been removed and all
mappings must now be via explicit configuration. This issue affects Apache
Tomcat Connectors (mod_jk only).

ELA-960-1 libapache-mod-jk security update